Message-ID: <1724813208.20030724002426@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: NEW windows password encryption flaw..

Dear Darren Bennett,

Windows uses the password hash in the same way as Unix uses the cleartext
password. Having the password hash, you can connect to a Windows network
without knowledge of the cleartext password (I spent 2 minutes modifying
smbclient to use the hash instead of the password and 5 minutes testing; you can
try to do it as a challenge... Hint: all you need is to skip the MD4
encoding if the password already looks like an MD4 hash). So, cracking
Windows hashes gives you nothing in fact.


--Wednesday, July 23, 2003, 9:48:51 PM, you wrote to full-disclosure@...ts.netsys.com:

DB> Is this new? I read about it on slashdot...

DB> http://lasecpc13.epfl.ch/ntcrack/

DB> Basically, it seems that Microsoft has (yet again) screwed up the
DB> implementation of their encryption scheme. This makes cracking any hash
DB> a matter of seconds. Oops... 


-- 
~/ZARAZA
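
An added example (not part of the original post and not smbclient code) of why the stored hash is password-equivalent. It goes beyond the MD4 step the post mentions and shows the NTLMv2 check as defined in MS-NLMP: the server validates a response using only the stored NT hash. The user, domain, hash, challenge and blob values are constructed samples.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash, not the password."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def nt_proof(nt_hash: bytes, user: str, domain: str,
             server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 over the server challenge and the client blob."""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """Server-side check: recompute the proof from the stored hash alone."""
    expected = nt_proof(stored_nt_hash, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)

# Constructed sample data (not taken from any real system).
STORED_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
OTHER_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "EXAMPLE"
CHALLENGE_1 = bytes.fromhex("0123456789abcdef")
CHALLENGE_2 = bytes.fromhex("fedcba9876543210")
BLOB = b"constructed-client-blob"

def demo():
    # A response built from the stored hash verifies; no cleartext is involved
    # on either side of the exchange.
    proof = nt_proof(STORED_NT_HASH, USER, DOMAIN, CHALLENGE_1, BLOB)
    accepted = server_verify(STORED_NT_HASH, USER, DOMAIN, CHALLENGE_1, BLOB, proof)
    # A response built from a different hash is rejected.
    bad = nt_proof(OTHER_NT_HASH, USER, DOMAIN, CHALLENGE_1, BLOB)
    wrong_hash = server_verify(STORED_NT_HASH, USER, DOMAIN, CHALLENGE_1, BLOB, bad)
    # The per-session challenge stops a captured response from being reused,
    # but it does nothing to protect the stored hash itself.
    replayed = server_verify(STORED_NT_HASH, USER, DOMAIN, CHALLENGE_2, BLOB, proof)
    return accepted, wrong_hash, replayed

if __name__ == "__main__":
    print(demo())
```

Because the hash is the only secret in the computation, protecting hash stores and limiting where privileged accounts log on matters more than hash cracking resistance.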

